Abstract

We outline some conceptual challenges in extending the PCC paradigm to a concurrent and distributed setting, and sketch a generalized notion of module correctness based on viewing communication contracts as economic games. The model supports compositional reasoning about modular systems and is meant to apply not only to certification of executable code, but also of organizational workflows.


1 Introduction 

The notion of proof-carrying code is relatively well understood for sequential programs, though substantial technical challenges evidently remain in constructing practically useful PCC systems for realistic application domains. It would clearly be desirable to extend these techniques and results to also allow certification of components of concurrent and distributed systems, but here it is not so clear what a formal certification should even mean in principle, let alone how to realize it in practice.

The immediate difference from a sequential setting is that components are typically running on separate systems, communicating only by exchanging messages. Thus, instead of Hoare-style pre- and post-conditions for a piece of code, we must in general specify its behavior by communication contracts: descriptions of which messages may or must be sent between components, depending on the entire previous communication history between them (or some more compact representation thereof). While this change obviously imposes some additional technical difficulties, it does not yet significantly strain the basic notion of certified correctness.

Rather, we consider the main problem with extending PCC to a truly distributed (both physically and administratively) setting to be that even certified components or modules may ultimately depend on external services, whose internal structure will never be available for inspection or certification. Hence, correctness guarantees will in general not be absolute, but only contingent upon correct behavior of some uncertifiable components. But unlike the traditional setting, the client of the certified module will in general not be in a position to assume responsibility for correctness of all submodules used by that module, because those may be provided by third parties, selected by the module implementor, and in principle unknown to the original client.

To reason about such systems in a compositional way, we propose a refined, quantitative model of 
contract conformance, in which component implementors are rewarded by each other for behavior in 
accordance with the agreed-upon contract, and penalized for deviations. A properly implemented (i.e., 
“correct”) component is then one that ensures that any fines it may incur for incorrect behavior will be 
at least matched by the fines it can collect from any faulty subcomponents it depended on. In particular, 
such a component will never implement a high-assurance service (i.e., one with a high penalty for failure) 
by relying on a low-assurance one. 

Incidentally, such a view of correctness may be relevant even for non-distributed systems, in that a monetary representation of safety or security warranties is inherently more robust in the real world than the mathematically ideal notion of absolute correctness that pure PCC in principle promises. In particular, this "putting your money where your mouth is" notion of contract conformance allows seamless integration of modules that have been machine-verified, but are not equipped with independently checkable certificates.

2 A game-theoretic model 

To concretize this notion of correctness, we have developed an abstract, game-theoretic model of specification conformance for communicating modules. Here, communication actions are seen as moves, contracts are interpreted as game rules (including any applicable rewards or fines associated with particular moves), and implementations, or processes, correspond to strategies. In the model, we consider both games and strategies at a very abstract level, namely as infinite-state automata; in practical realizations, both contracts and processes would be expressed in suitable languages with more internal structure, to help guide reasoning about conformance.

In general, a module will play simultaneous games with multiple peers, formalized as a contract portfolio; a certificate represents a proof that the overall strategy is fiscally sound, i.e., that the cumulative payoff from all the module's games remains non-negative at all times. In particular, a correct module will never be the first to break a communication contract, but it may be forced to do so by the previous failure of another module. Semantic correctness, i.e., that a process $p$ satisfies communication contracts $c_1, \ldots, c_n$, is captured by a coinductively defined relation $\models p : c_1, \ldots, c_n$.

Moreover, the model allows compositional reasoning about correctness, in the sense that two modules may cooperate (by establishing an internal communication contract between them) to implement an external specification. For a contract $c$, let $\bar{c}$ represent the same contract, but with the roles of the two players interchanged. Then if $\models p_1 : c_1, \ldots, c_n, c'_1, \ldots, c'_{m_1}$ and $\models p_2 : \bar{c}_1, \ldots, \bar{c}_n, c''_1, \ldots, c''_{m_2}$, where only the internal contracts $c_1, \ldots, c_n$ mention any internal communication links between processes $p_1$ and $p_2$, the concurrent composition $p_1 \| p_2$ (straightforwardly definable) will satisfy $\models p_1 \| p_2 : c'_1, \ldots, c'_{m_1}, c''_1, \ldots, c''_{m_2}$. This can be seen as a generalization of the sequential composition rule of Hoare logic, where commands $c_1$ and $c_2$ satisfying $\{A\}\,c_1\,\{C\}$ and $\{C\}\,c_2\,\{B\}$ can be composed into $c_1; c_2$ satisfying $\{A\}\,c_1; c_2\,\{B\}$, with no mention of the intermediate assertion $C$.


3 Towards certification 

At this stage, we have only started looking at how to formally represent proofs that a module implementation is correct with respect to its contract portfolio, i.e., a sound proof system $\vdash p : c_1, \ldots, c_n$ for semantic correctness. However, once the novel notion of correctness is taken into account, the property we are certifying is ultimately still a traditional safety property; in particular, any failure to satisfy a contract portfolio will be manifestly observable in finite time. In other words, we do not consider unquantified liveness properties such as fairness, or even absence of deadlock; rather, it is only the failure to send a required message by a specific deadline that constitutes an actionable breach of contract. Thus, in principle, standard code-certification techniques should apply without requiring major modifications.
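The following is an added illustration of the portfolio and composition notions of Section 2, and of the point just made that a breach is a missed deadline observable at a fixed tick. It is not part of the paper's formal model (which treats games and strategies as infinite-state automata): each contract is reduced to a single deadline obligation with a fine, a game to a trace of timestamped messages, and a module's strategy is judged only by the running balance of fines it collects and pays. The party names hospital, p1 and lab, the traces, and the fine amounts are all constructed for the example.

```python
"""Toy check of fiscal soundness for a module's contract portfolio.

Added illustration, not the paper's model: one deadline obligation per
contract, a trace of (tick, sender, receiver, message) events per run, and
a module certified "correct" iff its running balance never goes negative.
"""
from dataclasses import dataclass

ME, PEER = "me", "peer"


@dataclass(frozen=True)
class Contract:
    """One game rule, written from the portfolio owner's viewpoint.

    The obligor must send `message` to the other player by `deadline`;
    otherwise it pays `fine` to the other player at that tick, so a breach
    is always observable in finite time (a safety property).
    """
    peer: str        # the other player in this game
    message: str
    deadline: int
    obligor: str     # ME or PEER
    fine: int


@dataclass(frozen=True)
class Module:
    name: str
    names: frozenset   # every party folded into this module (grows under composition)
    portfolio: tuple   # Contracts, all from this module's viewpoint


def module(name, *contracts):
    return Module(name, frozenset([name]), tuple(contracts))


def dual(c, me):
    """c-bar: the same contract as seen by the peer (roles interchanged)."""
    return Contract(me, c.message, c.deadline, PEER if c.obligor == ME else ME, c.fine)


def breach_tick(mod, c, trace):
    """Tick at which `c` is breached, or None if the obligation was met in time."""
    def obligated(sender, receiver):
        if c.obligor == ME:
            return sender in mod.names and receiver == c.peer
        return sender == c.peer and receiver in mod.names
    met = any(t <= c.deadline and m == c.message and obligated(s, r)
              for t, s, r, m in trace)
    return None if met else c.deadline


def balance(mod, trace, horizon):
    """Cumulative payoff at each tick 0..horizon: fines collected minus fines paid."""
    out, bal = [], 0
    for tick in range(horizon + 1):
        for c in mod.portfolio:
            if breach_tick(mod, c, trace) == tick:
                bal += c.fine if c.obligor == PEER else -c.fine
        out.append(bal)
    return out


def fiscally_sound(mod, trace, horizon):
    """What a certificate would claim for every trace: the balance never goes negative."""
    return min(balance(mod, trace, horizon)) >= 0


def compose(p1, p2):
    """p1 || p2: both portfolios minus each internal contract c paired with its dual.

    Fines on internal links cancel inside the composite, so those contracts
    are dropped; the composite answers to outsiders for the rest only.
    """
    internal1 = [c for c in p1.portfolio if c.peer in p2.names
                 and any(dual(c, n) in p2.portfolio for n in p1.names)]
    internal2 = [dual(c, n) for c in internal1 for n in p1.names if dual(c, n) in p2.portfolio]
    kept = ([c for c in p1.portfolio if c not in internal1]
            + [c for c in p2.portfolio if c not in internal2])
    return Module(f"{p1.name}||{p2.name}", p1.names | p2.names, tuple(kept))


# Constructed scenario: p1 owes the hospital a result by tick 10 (fine 100) and
# relies on lab for the underlying data by tick 5, at a matched or a lower fine.
C_OUT = Contract(peer="hospital", message="result", deadline=10, obligor=ME, fine=100)
C_IN_HIGH = Contract(peer="lab", message="data", deadline=5, obligor=PEER, fine=100)
C_IN_LOW = Contract(peer="lab", message="data", deadline=5, obligor=PEER, fine=30)

P1_HIGH = module("p1", C_OUT, C_IN_HIGH)
P1_LOW = module("p1", C_OUT, C_IN_LOW)
LAB = module("lab", dual(C_IN_HIGH, "p1"))   # lab's side of the same game

# Constructed traces: lab never delivers in the first; in the second lab
# delivers in time but p1 never sends the result.
TRACE_LAB_FAILS = [(1, "hospital", "p1", "request"), (2, "p1", "lab", "request")]
TRACE_P1_FAILS = TRACE_LAB_FAILS + [(4, "lab", "p1", "data")]
HORIZON = 12

if __name__ == "__main__":
    print(balance(P1_HIGH, TRACE_LAB_FAILS, HORIZON))        # +100 at tick 5, back to 0 at 10
    print(fiscally_sound(P1_HIGH, TRACE_LAB_FAILS, HORIZON))  # True: lab's fine covers p1's
    print(fiscally_sound(P1_LOW, TRACE_LAB_FAILS, HORIZON))   # False: high assurance on low
    print(fiscally_sound(P1_HIGH, TRACE_P1_FAILS, HORIZON))   # False: p1 breached first
    print([c.message for c in compose(P1_HIGH, LAB).portfolio])  # only the external contract
```

Two things the run shows that the prose only states: with the matched fine, p1's balance dips to zero but never below it, even though p1 does break its contract with the hospital, because lab broke first; with the lower fine the same trace ends at -70, which is exactly the "high-assurance service relying on a low-assurance one" a certificate must rule out. Composition drops the internal contract, and on any trace the composite's balance equals the sum of p1's and lab's, since the internal fine moves money only between them.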

It may be worth considering the significance of code certification in a software-as-service model in the first place: if warranties are ultimately performance-based rather than absolute, do we really need certificates at all? We do, of course, in essentially the same instances as for sequential settings, namely for code not executed by its original creator. That is, in some situations a client (interpreted broadly) wants to not only engage in a game with a contractor, but to actually purchase (or otherwise obtain) that contractor's full strategy, meaning the actual executable code, together with the relevant service agreements with any subcontractors, who now become responsible to the original client directly. In this case, the client will generally want an absolute correctness proof for the purchased strategy, which can be integrated modularly with that of the client's other games.

4 Context and perspectives 

This work was developed in the context of the project TrustCare: Trustworthy Pervasive Healthcare Services (www.trustcare.eu). Part of the broader goals of the correctness model was that the notion of processes and contracts should not be limited to executable computer code and communication, but be able to serve as a general model of interacting actors (both human and organizational), with internal workflow procedures for achieving specific objectives, subject to external constraints. The prototypical scenario is the organization of tasks in a hospital, with the responsible actors representing patients and staff members (doctors, nurses, orderlies, receptionists, pharmacists, etc.), interacting not only by exchange of information, but also by physical actions, such as medical tests and procedures.

In general, the interdependencies between these actions may be quite complex: individual patients may suffer from multiple conditions, drugs and treatments may interact in complex ways, test results may be time sensitive, etc. Thus, developing and certifying a set of workflows and best-practice guidelines for individual staff members, to ensure that all patients are treated safely and efficiently, is a non-trivial task, well suited for (at least partial) automation. The quantitative model also allows the representation of the relative importance of potentially conflicting constraints; for instance, (combinations of) actions that would significantly endanger a patient's life would be assigned higher negative payoffs than those which are merely wasteful of resources; and best-practice workflows will ensure that robust checks and balances are in place that help avoid potentially dangerous outcomes resulting from isolated minor errors by individual actors.

One might expect that, as patient records become increasingly electronic, formal certification of 
large-scale institutional workflows would become a licensing requirement for health care providers, in 
line with basic hygiene and staff training requirements. However, at the present time, we are targeting 
the model primarily towards certification of traditional code. 